XSS via Dependency Proxy
Summary
Using the Dependency Proxy with a custom Maven URL, it is possible to make the GitLab API respond with attacker-controlled HTTP responses, including HTTP headers. This can be used to execute cross-site scripting (XSS) attacks against users.
Steps to reproduce
- Go to https://gitlab.com/$PROJECTPATH/-/settings/packages_and_registries and set an HTTP URL you control
- The HTTP server under that URL should respond with an HTML-based XSS payload and set a CSP header as well as a Cache-Control header, like so:

```ruby
require 'sinatra'

# Respond to every path the proxy requests; the proxy forwards these headers
# and this body to the browser unchanged.
get "/*" do
  response.headers["Content-Security-Policy"] = "unsafe-inline"
  response.headers["Cache-Control"] = "public, max-age=9999999999"
  "<script>alert(document.domain)</script>"
end
```
- Construct the final URL like
https://gitlab.com/api/v4/projects/$PROJECTID/dependency_proxy/packages/maven/foo/1/a
- Visit the URL
What is the current bug behavior?
The dependency proxy allows attackers to craft responses under https://gitlab.com/api/v4/projects/$PROJECTID/dependency_proxy/packages/maven/.... with arbitrary HTTP headers and content. This includes overriding the Content-Security-Policy header and the Content-Type header to enable XSS.
What is the expected correct behavior?
Upstream responses should not be able to modify existing response headers or introduce new ones. If the dependency proxy needs to pass some headers through in order to function, an allow list of the necessary headers should be implemented.
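One way to implement the allow list described above, as an added example that is not GitLab's code: only the upstream headers the proxy needs are forwarded, the Content-Type is restricted to known artifact types, and the proxy sets its own protective headers regardless of what upstream sent. The header names, allowed types and sample upstream response are assumptions for illustration.

```ruby
require 'set'

# Assumed allow list: the only upstream headers the proxy forwards.
# CSP, Cache-Control and anything else from upstream is dropped.
FORWARDED_HEADERS = %w[content-length etag last-modified].freeze

# Assumed set of content types a Maven proxy endpoint legitimately serves.
# Anything else (e.g. text/html) is rewritten to a generic binary type so
# the browser never renders an upstream body as a document.
ALLOWED_CONTENT_TYPES = Set.new(%w[
  application/java-archive
  application/xml
  text/xml
  application/octet-stream
]).freeze

# Build the response headers the proxy should send for an upstream reply.
# upstream_headers: Hash of header name => value as received from upstream.
def filter_proxied_headers(upstream_headers)
  normalized = upstream_headers.transform_keys { |k| k.to_s.downcase }
  safe = {}
  FORWARDED_HEADERS.each do |name|
    safe[name] = normalized[name] if normalized.key?(name)
  end
  # Keep only the media type, ignoring parameters such as charset.
  ctype = normalized['content-type'].to_s.split(';').first.to_s.strip.downcase
  safe['content-type'] =
    ALLOWED_CONTENT_TYPES.include?(ctype) ? ctype : 'application/octet-stream'
  # Proxy-owned headers (defence in depth): never taken from upstream.
  safe['x-content-type-options'] = 'nosniff'
  safe['content-disposition'] = 'attachment'
  safe['content-security-policy'] = "default-src 'none'"
  safe
end

# Constructed sample of the upstream reply from the reproduction above.
SAMPLE_UPSTREAM = {
  'Content-Type' => 'text/html; charset=utf-8',
  'Content-Security-Policy' => 'unsafe-inline',
  'Cache-Control' => 'public, max-age=9999999999',
  'ETag' => '"abc123"',
  'Content-Length' => '41'
}.freeze

if __FILE__ == $PROGRAM_NAME
  filter_proxied_headers(SAMPLE_UPSTREAM).each { |k, v| puts "#{k}: #{v}" }
end
```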
Output of checks
This bug happens on GitLab.com